Issue 873: The dashboard reveals the user’s name to everyone
Affected Version: All versions with URL dashboard access. Reproducible on 2.1.6.1 as well.

What steps will reproduce the problem?

1. Visit any Gerrit web site. I will use https://review.source.android.com/ for the purpose of this bug.
2. Try to visit the dashboard of another user. It does not matter whether the user is logged in or not. E.g.: https://review.source.android.com/#dashboard,1
3. The number at the end can be replaced with any other number and kept on incrementing till I get the list of all the users and their names.

What is the expected output? What do you see instead?

Unless the user is an administrator, he should not be able to see others’ dashboards. The name alone can potentially leak information. This bug prevents the use of Gerrit in situations where users in different groups (possibly from different companies) should not know about each other.
Mar 8, 2011
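As an added example (not Gerrit's own code; the service class, account data and names are hypothetical), a minimal per-user dashboard lookup in Python, switchable between the reported behaviour and the expected one where only the owner or an administrator may read a named dashboard, plus a helper that measures how many owner names a given caller can collect across a uid range:

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    uid: int
    full_name: str
    is_admin: bool = False


@dataclass
class Response:
    status: int                      # HTTP-style status code
    body: dict = field(default_factory=dict)


class DashboardService:
    """Per-user dashboard lookup (hypothetical; not Gerrit's code)."""

    def __init__(self, accounts, enforce_access=True):
        self._accounts = {a.uid: a for a in accounts}
        # enforce_access=False reproduces the reported behaviour: any uid
        # resolves and the owner's name is returned to whoever asks.
        self._enforce = enforce_access

    def get_dashboard(self, target_uid, requester=None):
        target = self._accounts.get(target_uid)
        if self._enforce:
            if requester is None:            # anonymous: no named dashboards
                return Response(401)
            allowed = requester.is_admin or requester.uid == target_uid
            # One answer for "unknown uid" and "not yours", so the status
            # code does not reveal which uids exist.
            if target is None or not allowed:
                return Response(404)
        elif target is None:
            return Response(404)
        return Response(200, {"owner": target.full_name})


def names_visible_to(service, requester, max_uid):
    """Walk uids 1..max_uid and collect every owner name the caller can read."""
    names = set()
    for uid in range(1, max_uid + 1):
        resp = service.get_dashboard(uid, requester)
        if resp.status == 200:
            names.add(resp.body["owner"])
    return names


# Constructed sample accounts, not real data.
ACCOUNTS = [Account(1, "Alice Admin", is_admin=True),
            Account(2, "Bob from Company A"),
            Account(3, "Carol from Company B")]
VULNERABLE = DashboardService(ACCOUNTS, enforce_access=False)
FIXED = DashboardService(ACCOUNTS, enforce_access=True)
```

Running names_visible_to against VULNERABLE returns every name to an anonymous caller, while FIXED returns only the caller's own name unless the caller is an administrator.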
Comment #1 by bklarson@gmail.com (Project Member), Mar 17, 2011
It is an issue when you have a server like partner.source.android.com that is shared by competing companies. I agree this isn't an issue for a server on an intranet, or on a public server that is used purely for open source development.
Sep 18, 2012
Marking this as WontFix as it's not really a problem anymore. With 2.5, dashboards have changed so that (A) /dashboard/<uid> doesn't expose a user anymore and (B) /dashboard/ now allows custom dashboards for constructing these sorts of pages with sections and such.
Status:
WontFix